SA-4 Acquisition Process
Statement
Overseeing the acquisition of information system products and services plays an important role in supporting the management of technology (e.g., hardware, software, and services) for the University. Establishing limits for security and access controls reduces the overall risk of liability, embarrassment, loss of revenue, loss of data, or loss of trust to the university and the community.
Applicability
This Control applies to all West Texas A&M University personnel who currently have, or will have, a vendor, third party or cloud computing service provider agreement or contract. The procedures in this control shall be applied to new contracts or agreements, renewal of existing contracts or agreements, the necessary review of existing contracts or agreements when security mandates change, and all amendments to existing contracts or agreements. Information resources contracts must include all terms required in this control.
Implementation
INFORMATION RESOURCE OWNER/CUSTODIAN RESPONSIBILITIES
- A risk assessment should be conducted prior to entering into any technology agreement or contract.
- To assure compliance with this section, owners of information resources, or their designees, entering a contract for services with a third party or cloud computing service provider must submit proper IT project management documentation so that information security and privacy reviews can be completed prior to execution of any contract.
- When a third party or cloud computing service provider contract or agreement with the university must be renewed or modified, the owner of the information resource, or designee, will coordinate review of the formal modifications or contract amendments through the university contract administration office and the chief information officer.
- The departmental unit managing the procured service shall maintain accountability for the privacy and security of institutional data.
- Cloud-based systems which are mission critical and/or store or process confidential information require at a minimum:
  - a contract in place that has been reviewed and approved by University Contract Administration
  - explicit authorization of the data owner
  - explicit authorization of the CIO and ISO.
THIRD PARTY OR CLOUD COMPUTING SERVICE PROVIDER RESPONSIBILITIES
- Cloud computing service providers are required to maintain TX-RAMP or FedRAMP certification(s) in accordance with Texas Senate Bill 475.
- Third party or cloud computing service provider personnel are responsible for being familiar with all contract requirements, including adherence to all applicable university Rules, SAPs, and Controls.
- Contracts and agreements shall require third party personnel and cloud computing service provider personnel to report all incidents, suspected or confirmed, that affect institutional data directly to the university Information Security Officer or designee as soon as practicable.
UNIVERSITY CONTRACT ADMINISTRATION
- The university contract administration office is responsible for incorporating appropriate language into contracts related to information resources and information security.
RESEARCH COLLABORATORS
- At the discretion of the Chief Information Officer or Information Security Officer, research collaboration related to information resources may not require a formal contract on an individual project basis. However, the research collaborator (i.e., the university employee) is still responsible for following all other university Rules, SAPs, and Controls.
IT REVIEW REQUIREMENTS
IT Security and Privacy reviews are required for all new software acquisitions and renewals. These reviews will be based on risk management decisions. Reviews of systems which are mission critical and/or store or process confidential information require at a minimum:
- Security and privacy functional requirements
- Security and privacy strength requirements
- Security and privacy assurance requirements
- Security and privacy related documentation requirements
- Requirements for protecting security-related documentation
- Description of the information system development environment and the environment in which the system is intended to operate
- Acceptance criteria
- Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management
Questions concerning information technology security shall be referred to the university's information security officer at security@wtamu.edu.